Click here to receive your FREE subscription to Campus Technology
Features
Data Privacy >> What We Can Learn From the Suits
2/3/2006
Best Practices for IT Security
1. Employ defense-in-depth practices, which emphasize multiple, overlapping,
and mutually supportive defensive systems to guard against single-point failures
in any specific technology or protection methodology. This should include
the deployment of antivirus, firewalls, intrusion detection, and intrusion
protection systems on client systems. Enterprises should also ensure that
they are actively monitoring their environments 24/7 against attack.
2. Turn off and remove unneeded services, especially default operating system
services that aren’t required.
3. If a blended threat exploits one or more network services, disable or block
access to those services until a patch is applied.
4. Always keep patch levels up to date, especially on computers that host
public services (such as HTTP, FTP, SMTP, and DNS servers) and are accessible
through a firewall.
5. Enforce an alphanumeric password policy, and consider embracing biometric
technology to replace passwords on highly sensitive systems, such as financial
operations.
6. Configure e-mail servers to block or remove e-mail that contains file attachments
that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF,
and .SCR files.
7. Isolate infected computers quickly to prevent further compromise within
the
organization. Perform a forensic analysis and restore the computers using
trusted media.
8. Train employees and students not to open attachments unless they are expecting
them. Also, do not execute software that is downloaded from the Internet unless
it has been scanned for viruses.
9. Ensure that emergency response procedures are in place. This includes
having a backup-and-restore solution in place in order to restore lost or
compromised data in the event of a successful attack or catastrophic data
loss.
10. Educate management on security budgeting needs. Enterprises typically
spend about 5.9 percent of their IT budgets on security. That figure is expected
to rise to 8 to 10 percent by 2008, according to Gartner Inc (www.gartner.com).
11. Test security to ensure that adequate controls are in place.
12. Ensure that only applications approved by your organization are deployed
on desktops, mobile systems, and servers. Remember, both spyware and adware
could be automatically installed on systems along with file-sharing programs,
free downloads, and freeware and shareware versions of software, or by clicking
on links or attachments in e-mail messages, or via instant messaging clients.
Sources: Symantec, Gartner, et al
Best Practices from Business
Meanwhile, university CIOs can also glean security lessons from their counterparts in corporate America. In particular, many businesses are more effectively addressing patch management. And that’s no small feat. During a typical month, IT managers must examine, test, and deploy multiple patches for operating systems and applications across servers, desktops, and mobile systems. Failing to deploy a patch in a timely manner can leave systems open to cyber prowlers. Deploy a patch too soon—without proper testing—and the new code could wind up conflicting with other IT systems, and knock applications offline.
What’s a CIO to do? Progressive IT organizations are using a combination of systems management software (such as LANDesk Software’s Security Suite; www.landesk.com), and application management software (such as Macrovision Corp.’s FLEXnet product family; www.macrovision.com). Macrovision’s software creates a database of all patches applied to all university systems. Using this database, administrators can determine which systems require additional patching. The database also allows IT managers to track potential conflicts between existing and new patches, according to a spokesperson for Macrovision. LANDesk’s software, in turn, pushes patches out to targeted systems in a matter of minutes.
Many enterprises have also embraced biometric technology to safeguard mobile and desktop systems used by CFOs, CEOs, and other executive leaders. The ThinkPad T43P notebook, from Lenovo (www.ibm.com), has built-in biometric technology that has won strong praise from corporate executives. Users simply slide a finger over a biometric reader (located close to the notebook’s keyboard) in order to log on to the system. “Through biometrics, we’re finally transitioning from passwords,” says Edward Golod, president of Revenue Accelerators (www.rac-inc.com), a sales consulting firm in New York. “Within the next two to three years, I think most executive leaders will make the switch to biometric-enabled notebooks.”
Remaining Threats
Despite biometrics and other emerging technologies, it’s difficult for universities and businesses to stay one step ahead of hackers. Indeed, CIOs must increasingly combat automated attacks, known as “bots” (short for “robots”). According to Symantec, bots are programs that are covertly installed on a user’s computer in order to allow an unauthorized user to control the system remotely. They are designed to let an attacker create an automated network of compromised computers—known as a bot network—that can be remotely controlled to collectively conduct malicious activities. In the first six months of 2005, more than 10,000 Internet-connected PCs were infected with bot software each day, according to Symantec. The best way to combat bot systems is to keep antivirus software and patches updated.
Meanwhile, CIOs are also keeping close tabs on their voice over IP (VoIP) systems. Roughly 75 percent of large US businesses have tested VoIP, according to Heavy Reading (www.heavyreading.com), an Internet site that tracks IP convergence. But as VoIP systems gain critical mass, they become larger and larger targets for attack. Indeed, VoIP systems can be vulnerable to a wide range of attacks, including:
- Attempts to discover legitimate IP phone addresses through so-called “directory harvesting” techniques
- The clogging of voicemail systems with voice spam sent as audio files
- Voice phishing, in which voicemails urge users to return calls and leave personal financial information
- Denial of service (DoS) attacks against voice servers
- Vulnerabilities in VoIP products that may be exploited for malicious purposes
Still, there’s no need to panic, says Dartmouth College (NH) CTO Brad Noblet. Dartmouth has used VoIP across its IT infrastructure for several years. Many of the VoIP systems are based on Windows servers. As a result, Noblet makes sure that those systems adhere to the same best practices for IT security and patch management found with other Windows-based servers at the university.
Even so, proper security remains a moving target for universities, businesses, and government agencies alike. “Unfortunately, any security fix is perishable,” notes former FBI CIO John. “The threats are dynamic. Therefore the fixes or solutions must be dynamic to stay ahead of the threats.”
Joseph C. Panettieri is VP of editorial content at Microcast Communications. He blogs
daily at www.techiqmag.com.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- Tiffin U's New Online College to Use Pearson's eCollege for Course Management
Beginning this fall, students in Tiffin University's newest online program, Ivy Bridge College, will use eCollege, a course management system from Pearson, for all of their online courses. The 2,350-student Tiffin U is located in Tiffin, OH and offers both on-campus and online classes. Since 2005, those online courses have been managed through Jenzabar Internet Campus Solution.
- California Community Colleges Adopt SunGard Banner Software
California's Rio Hondo College and Sierra College have selected software from the Banner Unified Digital Campus and other solutions from SunGard Higher Education to help address their growing enrollments and to help improve student retention and services.
- Luidia Releases eBeam Interact 2.1 for Interactive Whiteboards
Luidia has released a new version its eBeam software for use with classroom-based interactive projection environments. eBeam Interact 2.1 offers both new and upgraded features, including enhanced screen recording and a comprehensive online image gallery, as well as the company's Scrapbook Image Writer feature.
- McGill U Library Scanning Rare Books with Kirtas
McGill University Library in Montreal will be using a Kirtas Technologies APT BookScan 2400RA to digitize its collections. The company says that the 2400RA is capable of acquiring page images at the rate of 2,400 pages per hour. The library will be working with Ristech, a Canadian reseller, to implement the digitization solution.
- Ball State U Web Sites Now Managed with Sitecore
Ball State University in Muncie, IN has gone public regarding its deployment of a Web site content management system from Sitecore. Ball State chose Sitecore's software to revamp its 220-plus sites, integrating common new media applications and garnering a next-generation user experience that has won several awards from education and new media marketing organizations. Now, Ball State maintains uniformity across all university Web sites and said it has enhanced its recruiting efforts through the site's new look and interface.
- Bio-Key Launches Emergency Alert Platforms for Schools
Bio-Key International has announced the release of two new emergency alert and management solutions for the education market. MobileSRO is designed specifically for the K-12 environment, while MobileCampus caters to higher education and other campus-based organizations.
